Hackers could track subway users via phone accelerometer data

Researchers from Nanjing University have found a way in which hackers could track a smartphone user on the subway – even when limited reception is available.

Researchers from Nanjing University have found a way in which hackers could track a smartphone user on the subway – even when limited reception is available, reports The Register.

The scientists designed software that was able to capture motion sensor data, which on Android does not have the same data protections inherent in other functions such as GPS, reports Time. Combining this with subway mapping data, the researchers were able to track their volunteers around the Nanjing subway with 92 percent accuracy.

The researchers explained: “The cause is that metro trains run on tracks, making their motion patterns distinguishable from cars or buses running on ordinary roads. Moreover, due to the fact that there are no two pairs of neighboring stations whose connecting tracks are exactly the same in the real world, the motion patterns of the train within different intervals are distinguishable as well.”

If executed in the real world, this attack would represent a significant privacy threat, as it would allow stalkers to track their subjects around their everyday city routine – even under ground. As the researchers wrote, “For example, if an attacker can trace a smartphone user for a few days, he may be able to infer the user’s daily schedule and living and working areas, and thus seriously threaten her physical security.”

The team suggested one solution that would involve adding noise into Android sensor data to scramble the location tracking, meaning that apps requiring accelerometer data would trigger permission prompts alerting the user.

For now though, one telltale sign that a mobile phone is being tracked in this way comes through far greater battery consumption. As The Daily Dot notes, “to track someone using this method, a hacker would have to continuously access the phone’s accelerometer, draining significant power no matter how well the malware was concealed.”